Originally posted by minotauro:
I'm seeing this using netstat -an:
udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED
How do I identify the service (or script) running on this port? The script always changes the port after a reboot.
I ran ps -aux but see nothing different.
netstat -anp (the p option will give you pid#) OR
lsof |grep IPv4 (gives you more info on your port + pid)
Then once you have the pid or even the name now:
ps -aux |grep <pid#> (to find out which program is using the pid; my guess is it's "named")
"tcpdump -i eth<X> -p udp -n"
This will give you an idea of what is going through your udp, and I bet you will find that port 32769 is used as the source port for DNS queries from your box. Do "nslookup newdomain.com" and watch the tcpdump run.
So why 32769? I believe distros like RH changed the starting high-port >1023 to >32769. Search Google.
As suggested above, you can also download helpful programs such as chkrootkit, disconnect your PC from the network and run it.
I would also look into some filesystem integrity checking tools such as Aide, Tripwire that can help you watch any changes in your file system.
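The socket-to-process lookup that the netstat -anp and lsof suggestions above rely on can also be done by hand from /proc, which is useful as a cross-check when those tools are missing or not trusted. The following is an added example, not code from the thread: it assumes a Linux /proc on a little-endian host, the sample table is constructed, and the function names are hypothetical.

```python
import os, socket, struct

# Constructed sample in /proc/net/udp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   7: 0100007F:8001 0100007F:8001 01 00000000:00000000 00:00000000 00000000    25        0 4711 2 0000000000000000 0
  12: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 4702 2 0000000000000000 0
"""

def decode_endpoint(field):
    """'0100007F:8001' -> ('127.0.0.1', 32769); address bytes are reversed on little-endian hosts."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_udp_table(text):
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        # st 01 is what netstat prints as ESTABLISHED (a connected UDP socket)
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": "ESTABLISHED" if f[3] == "01" else f[3],
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def pids_for_inode(inode, proc="/proc"):
    """Return PIDs with an fd pointing at socket:[inode]; run as root to see all processes."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:                         # process exited or permission denied
            continue
    return pids

def owners_of_port(port, table_text, proc="/proc"):
    """Map each socket inode bound to the local UDP port to the PIDs that hold it."""
    return {r["inode"]: pids_for_inode(r["inode"], proc)
            for r in parse_udp_table(table_text) if r["local"][1] == port}

if __name__ == "__main__":
    path = "/proc/net/udp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    print(owners_of_port(32769, text))
```

An inode that shows up in the table but maps to no PID when run as root is worth following up with the chkrootkit and integrity-checking steps mentioned above.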